Before taking to the clouds… A few things to consider by PwC Luxembourg
Not all cloud platforms are equal
There is a large variety of offerings in the market, but buyer beware. Many so-called public cloud offerings do not actually provide all the functionality required and fail to meet the generally accepted NIST definition (from NIST SP 800-145, The NIST Definition of Cloud Computing), which expects on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service. In addition, many private clouds offered to the public are just rebrandings of past offerings: the provider’s virtual hosting platform is now a “cloud”.
Purchasing the cloud is just as important as using it. The procurement function should review software licenses and current contracts to understand the impact of a move to a cloud provider. Not all licenses define virtualisation the same way, and a customer’s request to examine its license scheme with a software vendor often becomes a sales opportunity for that vendor. Know all the options before having that discussion, including the feasibility of switching to open source or using the cloud provider’s “pay as you go” licensing.
A typical component of IT outsourcing is an infrastructure exit strategy, which ensures the customer is prepared to leave the chosen cloud platform, either by “rolling back” to its previous provider or by “rolling forward” to another cloud platform. Both give the flexibility to adjust to changing technology trends as well as to unexpected political situations that could force a change of strategy. Advances in technology and the maturity of the offerings must be reassessed before making the change: what was previously the best decision probably needs a closer look this time around.
Governance models ensure the organisation uses its resources in the best interest of the business, and are usually expressed as control domains with associated policy documents. Moving to public cloud changes many important aspects of daily IT operations and decision-making, so a governance process around cloud adoption should be in place before the transition to cloud.
The basic premise of security in the cloud is that it is the same as on-premises security, but different. The tenets of confidentiality, integrity and availability remain; the tools and means of assuring them change according to what the cloud platform offers and what the provider’s shared security model abstracts away from the customer.
Managing the security in a public cloud
Understanding and securing access to a public cloud environment is critical to the success of cloud adoption, but it can be tricky. A cloud provider’s access control mechanisms are typically separate from internal organisational processes and may fall outside the approved and documented methods for managing access. Extending the organisation’s identity services into the cloud is therefore a prerequisite for strategic use of on-demand computing services.
The cloud shared security model differs for each provider. It describes the trade-off in which the provider manages the hardware and hypervisor efficiently at very large scale, while the customer manages the specific aspects of its environment dictated by its application requirements. For example, the cloud provider patches the hypervisor and offers a set of supported operating system versions, while the customer is responsible for patching its virtual instances and installing the correct versions of the required applications. Responsibilities shift along a sliding scale when moving from IaaS to PaaS and SaaS: the cloud provider takes on more of the management of applications, and the customer uses the increased abstraction to concentrate on the activities that deliver the most benefit.
Certification gives evidence that a cloud provider follows recognised practices and provides third-party attestation of its level of compliance. It also gives organisations assurance during procurement that the provider can accept, or at least minimise, the risk transferred to it as part of the outsourcing. The challenge for the customer is to determine which certifications are most applicable to its operating environment and to adapt its existing processes so that the provider’s cloud controls map cleanly to its own.
While entering into an agreement with a cloud provider is the same as negotiating a contract with any outside vendor, procurement and legal groups should address specific points based on the potential impact to business services. First, ensuring that any technological solution fully complies with the applicable EU Data Protection legislation (i.e. Regulation (EC) 45/2001, or the upcoming General Data Protection Regulation) is essential.
Cloud contracts are often complex and contain many clauses that may have significant implications for the organisation, such as SLAs, data security, responsibilities, infrastructure availability and ongoing pricing and support. Because cloud deployments give limited physical control over infrastructure, limited scope for vulnerability assessments, and limited availability of audit logs and activity monitoring, a robust governance process around vendor contracts, terms and conditions is critical.
- Has a formal risk assessment been conducted prior to contract negotiation with the vendor?
- Have the following provisions been considered as part of contract negotiations: confidentiality, limitation of liability, indemnification, service termination, service level agreements and non-performance clauses, security incident procedures, ownership changes, privacy, jurisdiction, notification, and modifications?
- Has a process been established for periodic performance reviews with the cloud provider?
- Have clear metrics been designed to evaluate the cloud provider’s performance?
- Are reporting and escalation procedures in place with the cloud provider?
Data protection and privacy become critical in a public cloud environment because important data now resides outside the organisation’s firewall, and a breach could have major ramifications.
Data security governance in a public cloud environment must deal with elasticity, multi-tenancy, and abstracted controls along with data identification, control, confidentiality, integrity and availability.
For many organisations, the cloud seems to be an easy path to the IT Infrastructure Promised Land… However, there are a few things to consider before the journey to the cloud…
Join us at the ICT Spring 2017 and explore the potential of cloud solutions with our workshop « Emerging IT Trends and Technologies – How to prepare your infrastructure » – with Todd Hildebrant, PwC Luxembourg Cloud and Infrastructure Technology Leader (Tech Summit programme).
Communicated by PwC Luxembourg